topic Count of multiple unique events per field in Splunk Search

Count of multiple unique events per field

larunrahul — Sun, 14 Jul 2024 12:20:58 GMT

Hi Folks,

I have two types of events that look like this

Type1:

TXN_ID=abcd inbound call INGRESS

Type2:

TXN_ID=abcd inbound call EGRESS

i want to find out how many events of each type per TXN_ID. If the counts per type don't match per TXN_ID, I want to out put that TXN_ID

I know that we can do stats count by TXN_ID. But how do so do that Per event type in same query?

Appreciate the help.

Thanks

Re: Count of multiple unique events per field

tscroggins — Sun, 14 Jul 2024 14:39:00 GMT

Hi @larunrahul,

You can use the rex, chart, and where commands to extract the call type, summarize the events, and filter the results, respectively:

| makeresults format=csv data="_raw TXN_ID=abcd inbound call INGRESS TXN_ID=abcd inbound call EGRESS TXN_ID=efgh inbound call INGRESS" | extract | rex "inbound call (?<call_type>[^\\s]+)" | chart count over TXN_ID by call_type | where INGRESS!=EGRESS

TXN_ID EGRESS INGRESS efgh 0 1

I've used the extract command to automatically extract the TXN_ID field in the example, but if your events are already indexed, Splunk will have done that for you automatically.